Apple vs. The FBI
What Will It Mean for the Rest of Us When It Comes to Smartphone Security?

by Ian W. Staff Writer at FlexiSPY

For those who are unaware, the FBI is currently petitioning Apple to let its iPhone encryption be cracked. The FBI wants Apple to allow them access to a phone linked to the San Bernardino terrorist attack on on December 2nd 2015 which killed 14 people.

Apple have already gone on record to state that they do not wish to grant the FBI access to the data on the device (an iPhone 5C belonging to Syed Rizwan Farook) but what does this really mean? Are Apple siding with the terrorists or are they protecting their own self interests?  What does it mean for the rest of us who feel we may need to encrypt our devices?  Surely, if this encryption can be bypassed at any time from those above, hasn’t our privacy already been compromised?

Why encrypt your phone if you have nothing to hide?

There is the old saying of being innocent until proven guilty.  So should the average consumer really need to encrypt their phone and, if they chose to, are they not admitting that they have something to hide?  Otherwise, why the need for such secrecy with their smartphone data?

Encryption is there as an extra level of protection but it is something that nearly most of us will never need to use.  However Apple likes to be cautious and, since it released iOS 8, device data such as photos, messages, contacts and reminders are encrypted by default.  That means you are encrypting your own data without being asked or told.  But it’s okay because if Apple does it must be acceptable, right?

Is that a good thing?  Or are Apple assuming that everyone inevitably has something to hide and that is why you don’t get a choice to not encrypt your data?  Are Apple advocating nefarious uses of their own devices by doing this and is their stand against the FBI merely making the world’s wealthiest technology company now a haven for criminals?  US law enforcement thinks so.

Is Apple advocating terrorism?

Apple’s smartphones are the most widely used on the planet so it makes sense that these devices won’t always be used by the cleanest of people. They are highly sought after and are seen as a status symbol in most countries, with such a large customerbase Apple has to look as if it takes its customers data and security seriously.

Except there was that issue with iCloud being hacked and tons of leaked photos of celebrities being leaked as iCloud was compromised…

…and there was that time where the Apple device passcode could be easily bypassed.

…oh and right now you can permanently brick an Apple device by setting the date to January 1st, 1970.

So, perhaps, in hindsight, Apple could have done a little better securing their devices (and need I mention the ever ongoing battle for jailbreaking?) Or maybe Apple didn’t bother to try harder with device encryption because it never planned for something to happen like this?  For those who are unaware, on a jailbroken device you can bypass the Apple device encryption using SSH, ccrypt and a little reading of this article here.  So, it doesn’t matter if the device is jailbroken or not, it can still be compromised if you know how.

Granted, that article is a little dated but you get the idea.  Specifically, the scary part is where it says that while the data on the device is encrypted it becomes unenecrypted as soon as the device boots up (e.g. after you enter your passcode), so, you bypass the passcode and the phone thinks it has booted up and all the encrypted data becomes yours.

The real question though is that if Apple designed iOS encryption so that even they cannot break it if the FBI does succeed in cracking the encryption has Apple been lying to us the whole time?  There is an interesting article here about how Apple’s encryption is tied to the unique UID of each iOS device and how they use what is called a ‘secure enclave’ to stop the UID getting cracked.  It is quite a complex and lengthy read but it basically says that there is no way that the encryption can be cracked, not even by Apple, because that is how Apple designed it.  Lock the door and throw away the key.

So, everything sounds secure?  Right?

How secure is secure?

For this case Apple gave the FBI four methods to use to get data from the iPhone 5C.  While we don’t know what the other three methods were we do know that one was of course ICloud (did I mention that it was hacked and Apple did nothing about it?).   Articles here and here explain that iCloud, while seeming a secure online backup option is not without its limitations.

In fact, those articles mention that there are off the shelf software packages people can buy that can extract the supposedly secure iCloud backups straight from someone’s iCloud account as long as you know the Apple account email address and password and that can be gained with a little social engineering and the use of the forgotten password option.

Once you have accessed the backups from the Apple ID account you use the third party software to exact and download the data to your computer and there you have it.  But here is where there is a glaring issue which was recently raised in this case.

It Is alleged that two things transpired that stopped the data from the iPhone 5C being uploaded to iCloud. This is according to Apple.

  • The device owner turned off the iCloud backup feature prior to the terrorist attack, thus terminating any future backups
  • San Bernardino county reset the iCloud password of the device without consent meaning that the passwords did not match on the phone and iCloud account so the backups ceased.

Apple engineers discovered the second point when they travelled to San Bernardino to get physical access to the device.  If the password had not been reset, they would have been able to get a more recent device backup from iCloud.

What’s more it actually turns out that the San Bernardino government has a contract with MobileIron Inc. who provide mobile device management software at the price of $4 per phone.  This software would have allowed the FBI access to the data of any device that had this software installed on it immediately.  That would have kept the FBI happy and made this whole case go away.

The software works by performing a brute force attack on the passcode until it correctly guesses what it is.  A brute force attack uses all variations of letters and numbers and words from the dictionary to literally throw every random password it can generate at the problem until it is solved.  But this takes time.  Anyone who has tied to brute force attack something so innocent as a zip file whose password you have forgotten knows that it can take months, even years and success is never guaranteed.

But the San Bernardino government failed to install the software on any of their devices.

This is because there is no countrywide policy to do so and instead departments in different counties can essentially make their own rules.  With the iPhone 5C also being the one iPhone Apple released without a fingerprint sensor and touch ID it means it is not possible to use the fingerprint of the dead terrorist to unlock the device either.

Who’s really to blame?

So far, it seems that Apple could be blamed for not adding security features such as Touch ID to their devices sooner but, for sure, the San Bernardino government is not doing itself any favours either.   Apple knows this. Apple could essentially lay the whole blame on the FBI and the fact that they changed the device password and it is because of that that no more recent data could be obtained.  So Apple are blaming the FBI and the FBI is blaming Apple. They say that because the methods they provided to access the data were not good enough they are now pushing for a backdoor instead.

And this is where Apple says no.  So, you have to wonder, what is more important overall?

The privacy of the living or the rights of the dead?

Who does Apple see as more important?  If Apple wanted to be more constitutional, they would not have immediately said that they would not honor the FBI’s request for a backdoor.  Apple surely can do it, even if it means rewriting the iOS code to do so.  They just seem to be favouring the privacy rights of the living instead, after all, Apple has to protect its bottom-line as well.

On the other hand, has the FBI been waiting for a case like this to years to finally legitimize the need for a security backdoor in popular phone operating systems such as iOS?  And don’t forget that the device in question was loaned to the terrorist from his company also which means that surely the company is responsible for the contents of whatever is on the device, regardless of what the device is used for because we all know that though you pay good money for your device you never truly own it.

However, if Apple should give in to the FBI and create the backdoor it means that, should that backdoor fall in to the wrong hands, every encrypted iPhone or iPad device is now at risk and could easily be compromised.  That means that our privacy is no longer safe. It is no wonder that Edward Snowden, via Twitter, is following this case closely. Linking specifically to this article which explains how you can set a custom 11-digit passcode for your device that even the FBI couldn’t crack, even if they do get their backdoor.

Our thoughts and conclusion

Privacy is something that ironically you may think we believe that everyone is entitled to.  Everyone always says to set a strong password on your online sites and your smartphone devices and now it is slowly dawning on people the value of actually doing this. It isn’t fair that the FBI should get their backdoor because we have a right to privacy but, on the other hand, getting information from the device of a terrorist could also help prevent further attacks so we see both sides of the story.

It is hard to pick sides on this, and this case will be long and drawn out and could have ramifications for all of us when it comes to digital security and privacy.  Right now though something else is brewing.  A warning of sorts that could taint the Apple brand.

Apple always believed that it had a ‘killer’ phone, with ‘killer’ apps and ‘killer’ hardware and software and it is proud of all its devices and that is what helped it become the technology titan it is today. But whatever the results of this case turn out to be, in the eyes of many people already Apple already has the ‘killer’ device that they have been wanting all along. Except this time, it is the ‘killer’ device for all the wrong reasons and is seen already as enabling terrorism.

Whether or not Apple can shake off this image, and any boycotts it may endure, remains to be seen. I think it can but the nature of this case and the evidence on both sides is what makes this this case one of the most interesting in recent times for online privacy advocates.  Can you put a price on this entire situation?  It seems $4 a month is pretty cheap.  Unfortunately, for whatever reason, the total cost of this entire case, for Apple, for the FBI, for our privacy and for our freedom is going to be far greater.